CVE-2024-13751 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the 3D Photo Gallery plugin for WordPress developed by labibahmed42. This vulnerability affects all plugin versions up to and including 1.3. The root cause is insufficient sanitization and escaping of user-supplied input passed through the 'des[]' parameter, which is used during web page generation. Authenticated attackers with at least Subscriber-level privileges can exploit this flaw by injecting arbitrary JavaScript code into the plugin's pages. Because the injected scripts are stored persistently, they execute automatically whenever any user accesses the affected page, without requiring further interaction. The vulnerability impacts confidentiality and integrity by enabling script execution that could hijack user sessions, steal cookies, or perform unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and a scope change. No patches or official fixes have been linked yet, and no known exploits are publicly reported. This vulnerability highlights the risks of improper input validation in WordPress plugins, especially those that allow user-generated content or input from lower-privileged users. Organizations running this plugin should assess exposure, restrict user privileges where possible, and monitor for suspicious activity until a patch is available.

The vulnerability enables attackers with minimal privileges (Subscriber-level) to inject persistent malicious scripts into WordPress sites using the 3D Photo Gallery plugin. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and potential site defacement. Because the scripts execute automatically for any visitor of the infected page, the impact extends beyond the attacker to all site users, increasing the risk of widespread compromise. The integrity and confidentiality of user data are at risk, though availability is not directly affected. For organizations, this can result in reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The medium CVSS score reflects the need for authentication but no user interaction, making exploitation feasible in environments with registered users. The lack of known exploits in the wild suggests limited current active attacks but also means organizations should act proactively to prevent future exploitation.

1. Immediately restrict or review user roles and permissions to limit Subscriber-level users from submitting untrusted input until a patch is available. 2. Apply strict input validation and sanitization on the 'des[]' parameter to remove or encode potentially malicious scripts. 3. Implement robust output encoding/escaping on all user-supplied data rendered on pages to prevent script execution. 4. Monitor web server logs and application logs for unusual input patterns or script injection attempts related to the 'des[]' parameter. 5. Use Web Application Firewalls (WAFs) with rules targeting stored XSS patterns to block malicious payloads targeting this plugin. 6. Keep WordPress core and all plugins updated; watch for official patches or updates from labibahmed42 and apply them promptly. 7. Educate site administrators and users about the risks of XSS and encourage reporting of suspicious site behavior. 8. Consider temporarily disabling or replacing the 3D Photo Gallery plugin if no patch is available and the risk is unacceptable. 9. Conduct regular security audits and penetration testing focused on user input handling in WordPress plugins.